Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
97% of Americans Cant Ace a Basic Security Test
Oldest First  |  Newest First  |  Threaded View
REISEN1955
REISEN1955,
User Rank: Ninja
5/20/2019 | 12:40:41 PM
OK but websites are not everything
What about complex passwords?  Dual authentication?  Reading suspect emails and acting on them?  Patch updating a system?  Intallation of suspect software often with PUPs?  Usage of a VPN service?  All important too and many likely to infection and perhaps destroy a system.  Websites are not everything. 
whislock
whislock,
User Rank: Apprentice
5/20/2019 | 2:17:29 PM
Re: OK but websites are not everything
I have to ask why you'd even say this. There's a certain "hierarchy of knowledge" when it comes to non-technical users. Below multi-factor authentication, below VPNs (commercial VPN services are a massive security issue, why would you say this?), below the recognition of suspect software, you have the base of the pyramid, which is a basic understanding of the everyday security concepts of using the Internet and what threats exist. No, websites aren't everything, but websites are 99% of what the everyman does on the Internet day to day. If they lack even that basic understanding, why would you even suggest more advanced security concepts? That's like telling them to install a state-of-the-art home security system with all the bells and whistles when they can't even figure out to close the front door.
R.Hicks
R.Hicks,
User Rank: Author
5/20/2019 | 4:41:29 PM
Re: OK but websites are not everything
While I tend to agree with you Whislock, there are also several elements missing from the story that could greatly affect the results. For example, there is no mention of the average age (only that all participants were over 16 years old) and I'd expect poorer performance from an octogenarian than a millenial. If the average age were 30 though I would be more concerned. Alsom the sample size was only 2,000, which is not a representative sample of all Americans. I do see REISEN1955's point though - whether or not a website uses HTTP vs. HTTPS isn't necessarily indicative of whether or not the link is "OK" as the article states and there is far more to security than URL analysis. I think a link to the poll and more information about the sample that participated would help clarify the severity of the findings.
nYdGeo
nYdGeo,
User Rank: Apprentice
5/21/2019 | 9:54:10 AM
More website creators is simply better?
After reading the entire post and seeing again and again how much the average citizen does not know about Cyber Security, can someone explain to me why more Americans planning on creating websites is a good thing?  Is this based on the assumption that by doing so, we're confident that they'll take the time and put forth the effort to learn the basics of website security?  If so, that seems like an assumption as best.  If anyone can help me understand this point, I'd appreciate it.
escortrides
escortrides,
User Rank: Apprentice
5/21/2019 | 6:49:47 PM
Re: OK but websites are not everything
 


 
REISEN1955
REISEN1955,
User Rank: Ninja
5/22/2019 | 1:47:46 PM
Re: OK but websites are not everything
This should really be a FULL discussion of security.  Before moving to Georgia in 2014, I performed self-employed managed services for small  business and residential - the latter was not huge money but it was a bit of income that kept good dinners on the reservation list.  And the security knowledge in sum total of all homeowners was about nill!!!   One charming older couple got whacked by the Microsoft tech scam - lost everything.  (They called when I was in Georgia and I faulted myself for lacking a domestic backup strategy).

My other residentials were technically non-compliant (read that plain dumb).  In hindsight, I should have done far more them than I did and that is through my current position in a malware forensics CSirt department - increased knowledge across the board.  I did not have THAT up north and did not pass it to my clients, my bad.  But by basis knowledge alone they were all lacking in sophistication and not one would know HTTP from HTTPS at all - even less dual authentication, complex passwords, clicking on links, etc.  
miriamguimel
miriamguimel,
User Rank: Apprentice
5/22/2019 | 4:18:42 PM
Re: OK but websites are not everything
Lots of websites use passwords that are at least 8 characters long, but most websites unfortunately don't have 2FA, I think it's too soon for these settings

 

 
REISEN1955
REISEN1955,
User Rank: Ninja
5/24/2019 | 8:40:13 AM
Re: OK but websites are not everything
I addressed just home users - my bad as most people go to work and therein, not having a basic idea, also commit stupid mistakes in judgment.  There is a video here of the subject on user education being critical as the front line of defense - all true. An amazing number of issues could be avoided IF people had just a basic idea of maybe 10 or 20 NO NO NO moves.  But that rarely is done. One great inside email campaign spoofed a spoof email and if users clicked on the link, it brought them to an internal site that said in effect BAD YOU, you need corporate education and here is where to find it.  Register now.  Great idea. 


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file